CA Single Sign-On (CA SSO), The Innocent Bystander

Date post: 16-Jan-2017
Upload: ca-technologies
CA Single Sign-On (CA SSO), The Innocent Bystander

Alec Cartwright

Security

BT PLC

Identity Services Architect

SCX14S

#CAWorld

2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD

© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

For Informational Purposes Only

Terms of this Presentation

Abstract

You may be familiar with the refrain “I can’t login, it must be my single sign on that’s failed.”

In this presentation I will take a look at BT’s experience of running a CA Single Sign-On (CA SSO) infrastructure; what we have done to reduce the chance of failures and to quickly diagnose issues to get them to the right people who can fix them.

Alec Cartwright

BT

Identity Services Architect

Agenda

1 WHERE DOES BT USE CA SSO

2 HOW DO WE STAY CALM

3 WE CAN ALWAYS GET MORE

4 SUMMARY

BT Overview

Communication Services and Broadcaster

• BT operates in 170 countries

• Revenue 18 bn (£ GBP)

User Identities

• 150,000 employees and partners

• 27M+ online customers

Where does BT use CA SSO

Where is CA SSO Used

450+ applications

• Customer facing portals

• Internal applications

50+ federations

• Services behind customer products

• Employee services

Includes many critical to BT’s ability to trade

• Cost BT

• Impact BT’s brand

So When Things Go Wrong…..

It’s easy to blame CA SSO

Availability Requirements

Must always be available

• 99.995% availability target

• No scheduled down time

• There are some “very hot” times

Transaction volumes

• 30M transactions per day

• Peaks of 7,000+ TPS

How Do We Stay Calm (Coping with “I Can’t Login”)

We Needed to…

Architect CA SSO for maximum availability

Know the health of the infrastructure

Have processes that

• Quickly identify issues

• Send details to the people who can fix the problem

Deployed For Resilience

Policy Server – Local Resilience

Single build for all policy servers

Cluster of 3 policy servers

Use web agent load balancing

Service still resilient if one is lost

Allows in-service upgrades

[Diagram labels: Application Web Server; Policy Servers; Web Agent Load Balancing]

Policy Servers – Geographic Resilience

Agent failover across all sites

Be careful – don’t configure failover storms

[Diagram labels: Site 1, Site 2, Site 3, Site 4, Site 5; Policy Servers; Web Agent Failover; Application Web Server]

We Need to Always Take Orders

Split consumer / employee applications

One will always be working

Separate policy stores

Other Stuff

Components

• Federation servers

• Policy/Key/Session store database

• Login servers

• Admin servers

• Load balancers and switches

Monitor And Alert Everything

Set Thresholds

All is OK

Attention

It’s getting critical

ALERT

WARNING

Basic Monitoring

• CPU

• Memory

• Disk usage

• Processes

Policy Servers

Oneview Monitor

• Server Queue Length

• Priority Queue Length

Log files

• “Connection Dead”

• “Timeout Expired”

• “Failed to connect to datasource”

• “Unexpected Network Error”

• “Wait Timeout. Code is”

• “Delete of tombstone failed”
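
A sketch of the log-file check described on this slide, added here as an illustration and not taken from the presentation or from CA's tooling: it counts the six strings above within a recent time window and maps the worst count to OK / WARNING / ALERT. The log line layout, the five-minute window and the threshold values are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# The six strings listed on the slide.
PATTERNS = [
    "Connection Dead", "Timeout Expired", "Failed to connect to datasource",
    "Unexpected Network Error", "Wait Timeout. Code is",
    "Delete of tombstone failed",
]
# Assumed thresholds: hits of any single pattern inside the window.
WARNING_AT, ALERT_AT = 2, 4
WINDOW = timedelta(minutes=5)
# Assumed line layout: "[YYYY-MM-DD HH:MM:SS] message"
LINE_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]\s*(.*)$")

def scan(lines, now):
    """Count slide patterns logged within WINDOW before `now`.

    Returns (status, counts) where status is "OK", "WARNING" or "ALERT".
    """
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or malformed line: no timestamp to trust
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if not (now - WINDOW <= ts <= now):
            continue  # outside the window being evaluated
        for pattern in PATTERNS:
            if pattern in m.group(2):
                counts[pattern] += 1
    worst = max(counts.values(), default=0)
    status = ("ALERT" if worst >= ALERT_AT
              else "WARNING" if worst >= WARNING_AT else "OK")
    return status, dict(counts)

# Constructed sample lines (not real policy server output).
SAMPLE = [
    "[2015-11-18 09:40:12] Connection Dead",
    "[2015-11-18 10:01:03] Failed to connect to datasource 'policy store'",
    "[2015-11-18 10:01:09] Failed to connect to datasource 'policy store'",
    "[2015-11-18 10:02:30] Timeout Expired",
    "    continuation text without timestamp: Connection Dead",
    "[2015-11-18 10:03:44] Failed to connect to datasource 'policy store'",
    "[2015-11-18 10:04:51] Failed to connect to datasource 'policy store'",
    "[2015-11-18 10:04:55] Login OK for user",
]

if __name__ == "__main__":
    print(scan(SAMPLE, datetime(2015, 11, 18, 10, 5, 0)))
```
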

Routing Issues To The Right People

Test Page

On CA SSO team’s infrastructure

Simple policy – a page protected for all users

Confirms infrastructure is working

Helpdesk can walk users through access

Know Your Infrastructure

We Can Always Do More

Review and Continuous Improvement

More to Do

CA APM being deployed

• Improved level of monitoring

• Identify baseline

• Set alerts

Deploy CA Directory

• Improved policy store resilience

Summary

What We Have Achieved

100% availability for the service

We proactively warn about developing issues

CA SSO is seen as the “Innocent Bystander”

Leveraging the Experience

Recommended Sessions

SESSION # TITLE DATE/TIME

SCT05S Roadmap: CA Advanced Authentication and CA Single Sign-On 11/18/2015 04:30 PM

SCT30S Panel: Securing you in the Cloud 11/19/2015 02:00 PM

Q & A

For More Information

To learn more, please visit:

http://cainc.to/Nv2VOe

CA World ’15

